What should not be sent to AI tools?
Personally identifiable client information, confidential financial records, legal matters under privilege, health data, anything under NDA, and credentials. If in doubt, don't paste it.
Default list to keep out
Names tied to private context, Social Security numbers or other government IDs, banking data, full health records, attorney-client communications, anything under NDA, and any password, token, or API key.
How to handle the edge cases
When a workflow truly needs sensitive input, use a tool whose contractual privacy terms you have reviewed, and pseudonymize the data before it leaves your machine wherever possible.
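One way to do that pseudonymization step, as an added example that is not part of this page: a small pre-submission scrubber that looks for the value types listed above (government IDs, payment card numbers, credentials, e-mail addresses), swaps each for a stable placeholder, and keeps the placeholder-to-value table locally so a reply can be re-identified afterwards. The regexes, the sample text and the function names are constructed for illustration; real names such as "Jane Doe" are not caught by pattern matching and still need manual review or an entity recognizer.

```python
"""Pre-submission scrubber for text headed to an AI tool.

Added example, not the page's own code: before a document is pasted into
an AI chat, find the value types the page says to keep out (government
IDs, payment data, credentials, contact details), swap each for a stable
placeholder, and keep the placeholder-to-value map locally so the reply
can be re-identified without the real values ever leaving the machine.
The regexes are constructed heuristics, not an exhaustive detector.
"""
import re
from typing import Dict, Tuple

# Detector patterns, applied in order. Each has a named group "v" holding
# the sensitive value; anything outside "v" (e.g. "password=") is kept.
PATTERNS = [
    # AWS-style access key id: the public "AKIA" + 16 chars format
    ("AWS_KEY", re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b")),
    # key=value secrets such as password=..., api_key: ..., token=...
    ("SECRET", re.compile(
        r"(?i)\b(?:password|passwd|api[_-]?key|token|secret)\s*[:=]\s*"
        r"(?P<v>[^\s,;]+?)(?=[.,;]?(?:\s|$))")),
    # US Social Security number shape
    ("SSN", re.compile(r"\b(?P<v>\d{3}-\d{2}-\d{4})\b")),
    # 13-19 digit payment card number with optional spaces/dashes;
    # confirmed with a Luhn check before it is treated as a card
    ("CARD", re.compile(r"\b(?P<v>(?:\d[ -]?){12,18}\d)\b")),
    # e-mail address
    ("EMAIL", re.compile(r"\b(?P<v>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)\b")),
]


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by
    payment card numbers; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonymize(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each finding with a placeholder such as <EMAIL_1>.

    Returns (scrubbed_text, mapping placeholder -> original value). The
    same value always gets the same placeholder, so the model can still
    follow repeated references to one person or account.
    """
    mapping: Dict[str, str] = {}      # placeholder -> original
    reverse: Dict[str, str] = {}      # original -> placeholder
    counters: Dict[str, int] = {}

    def make_sub(kind: str):
        def _sub(m: "re.Match[str]") -> str:
            value = m.group("v")
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                return m.group(0)     # digit run, but not a card number
            if value not in reverse:
                counters[kind] = counters.get(kind, 0) + 1
                reverse[value] = f"<{kind}_{counters[kind]}>"
                mapping[reverse[value]] = value
            whole, start = m.group(0), m.start()
            return (whole[: m.start("v") - start]
                    + reverse[value]
                    + whole[m.end("v") - start:])
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(make_sub(kind), text)
    return text, mapping


def reidentify(response: str, mapping: Dict[str, str]) -> str:
    """Swap placeholders in the tool's reply back to the real values."""
    for placeholder, value in mapping.items():
        response = response.replace(placeholder, value)
    return response


# Constructed sample; every value here is fictional or a published
# documentation example, not real data.
SAMPLE = (
    "Client Jane Doe (jane.doe@example.com), SSN 123-45-6789, paid with "
    "card 4111 1111 1111 1111. Deploy notes: "
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE password=hunter2 in the env "
    "file. Ticket 20240115 opened; email jane.doe@example.com again."
)

if __name__ == "__main__":
    scrubbed, table = pseudonymize(SAMPLE)
    print(scrubbed)          # this is what may go to the AI tool
    print(table)             # this stays on your machine
```

Running the block prints the scrubbed text, in which the card number, SSN, access key, password and both copies of the e-mail address have become placeholders, while the ticket number (eight digits) and a digit run that fails the Luhn check are left alone. The mapping returned alongside it is the only thing that links placeholders back to real values, so it belongs on the local machine, never in the prompt.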
When to use this
- You are about to paste a client document into an AI chat.
- You are setting up an AI tool for the team and writing a one-page policy.
What to avoid
- Assuming consumer AI tools have enterprise data protections by default.
- Letting one team's exception become a company-wide habit.